e6d997a Don't set dbdir in the connection until after the connection is created.

Authored and Committed by rcritten 12 years ago
    Don't set dbdir in the connection until after the connection is created.
    
    We were comparing the current connection with itself so were never
    going to call nss_shutdown(). dbdir needs to be set after the connection
    has been made.
    
    This worked on single server installs because we don't do a ping so
    NSS would never be pre-initialized. If multiple servers are available we
    call ping() to find one that is up before submitting the request, this is
    what would have pre-initialized NSS.
    
    This was tripping up request-cert because it will initialize NSS with no DB
    if it hasn't been initialized. We need to initialize it to validate the
    CSR.
    
    A non-working client was doing this when calling cert-request:
     - call load_certificate_request()
     - nss.nss_nodb_init()
     - load the CSR
     - create a connection, dbdir=/etc/pki/nssdb
     - the dbdir matches within the same connection, don't call nss_shutdown()
     - connect to remote server
     - fail, untrusted CA because we are still using db from nss_nodb_init.
    
    Instead if we set dbdir afterward then this will properly be shut down
    and NSS re-initialized with correct dbdir.
    
    https://fedorahosted.org/freeipa/ticket/2498
    
        
file modified
+7 -5
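
The ordering problem the commit message describes, as an added example that is not FreeIPA's code: a small Python model in which a stub stands in for the process-global NSS state. FakeNSS, Connection, connect, cert_request and the record_dbdir_first switch are hypothetical names; only the /etc/pki/nssdb path and the sequence of steps come from the message.

```python
class FakeNSS:
    """Stand-in for process-global NSS state (constructed; not python-nss)."""

    def __init__(self):
        self.initialized, self.dbdir, self.shutdowns = False, None, 0

    def nodb_init(self):
        self.initialized, self.dbdir = True, None  # up, but no cert database

    def init(self, dbdir):
        self.initialized, self.dbdir = True, dbdir

    def shutdown(self):
        self.initialized, self.dbdir = False, None
        self.shutdowns += 1

    def trusts_server_ca(self):
        # Assumption: only the on-disk database holds the CA certificate.
        return self.initialized and self.dbdir == "/etc/pki/nssdb"


class Connection:
    """Hypothetical connection object that remembers which dbdir it used."""
    dbdir = None


def connect(nss, conn, dbdir, record_dbdir_first):
    if record_dbdir_first:
        conn.dbdir = dbdir  # bug: the check below compares dbdir with itself
    reuse = nss.initialized and conn.dbdir == dbdir
    if not reuse:
        if nss.initialized:
            nss.shutdown()  # drop the no-DB state left by CSR validation
        nss.init(dbdir)
    conn.dbdir = dbdir  # fix: record dbdir only after the connection is made
    return nss.trusts_server_ca()


def cert_request(record_dbdir_first):
    """Replay the failing sequence: no-DB init for the CSR, then connect."""
    nss, conn = FakeNSS(), Connection()
    nss.nodb_init()
    return connect(nss, conn, "/etc/pki/nssdb", record_dbdir_first)
```

With the dbdir recorded first the model never shuts NSS down and the server's CA stays untrusted; recorded afterward, NSS is shut down once and re-initialized with the database.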